A subexponential-time quantum algorithm for the dihedral hidden subgroup problem 
We present a quantum algorithm for the dihedral hidden subgroup problem with time and query complexity $2^{O(\sqrt{\log N})}$. In this problem an oracle computes a function $f$ on the dihedral group $D_N$ which is invariant under a hidden reflection in $D_N$. By contrast the classical query complexity of DHSP is $O(\sqrt{N})$. The algorithm also applies to the hidden shift problem for an arbitrary finitely generated abelian group.

The algorithm begins as usual with a quantum character transform, which in the case of $D_N$ is essentially the abelian quantum Fourier transform. This yields the name of a group representation of $D_N$, which is not by itself useful, and a state in the representation, which is a valuable but indecipherable qubit. The algorithm proceeds by repeatedly pairing two unfavorable qubits to make a new qubit in a more favorable representation of $D_N$. Once the algorithm obtains certain target representations, direct measurements reveal the hidden subgroup.



1. INTRODUCTION 

The hidden subgroup problem (HSP) in quantum computation takes as input a group $G$, a finite set $S$, and a black-box function (or oracle) $f : G \to S$. By promise there is a subgroup $H \subseteq G$ such that $f(a) = f(b)$ if and only if $a$ and $b$ are in the same (right) coset of $H$. The problem is to identify the subgroup $H$. We assume that $G$ is given explicitly; black-box groups are a separate topic [13].

Shor's algorithm [22] solves HSP when $G = \mathbb{Z}$ in polynomial time in the length of the output. An important predecessor is Simon's algorithm [23] for the case $G = (\mathbb{Z}/2)^n$. Shor's algorithm extends to the general abelian case [14], to the case when $H$ is normal [10], and to the case when $H$ has few conjugates [9]. Since the main step in the generalized algorithm is the quantum character transform on the group algebra $\mathbb{C}[G]$, we will call it the character algorithm.

In the dihedral hidden subgroup problem (DHSP), $G$ is the dihedral group and $H$ is generated by a reflection. (Other subgroups of $D_N$ are only easier to find; see Proposition 2.1.) In this case $H$ has many conjugates and the character algorithm works poorly. This hidden subgroup problem was first considered by Ettinger and Høyer [7]. They presented an algorithm that finds $H$ with a linear number of queries (in the length of the output) but an exponential amount of computation. Ettinger, Høyer, and Knill generalized this result to the general finite hidden subgroup problem [8].

In this paper we will describe a new quantum algorithm for 
the dihedral group with a favorable compromise between 
query complexity and computation time per query. 

Theorem 1.1. There is a quantum algorithm that finds a hidden reflection in the dihedral group $G = D_N$ (of order $2N$) with time and query complexity $2^{O(\sqrt{\log N})}$.



The time complexity $2^{O(\sqrt{\log N})}$ is not polynomial, but it is subexponential. By contrast any classical algorithm requires at least $2N^{1/2}$ queries on average. Unfortunately our algorithm also requires $2^{O(\sqrt{\log N})}$ quantum space.

We will prove Theorem 1.1 in a convenient case, $N = 2^n$, in Section 3. In Section 5 we will provide another algorithm that works for all $N$, and we will obtain the sharper time and query complexity bound $O(3^{\sqrt{2\log_3 N}})$ when $N = r^n$ for some fixed radix $r$. The algorithm for this last case generalizes to many other smooth values of $N$.

2. GROUP CONVENTIONS

The dihedral group $D_N$ with $2N$ elements has the conventional presentation

$$D_N = \langle x, y \mid x^N = y^2 = yxyx = 1 \rangle.$$

(See Artin [2, §5.3].) An element of the form $x^s$ is a rotation and an element of the form $yx^s$ is a reflection. The parameter $s$ is the slope of the reflection $yx^s$. This terminology is motivated by realizing $D_N$ as the symmetry group of a regular $N$-gon in the plane (Figure 1). In this model $yx^s$ is a reflection through a line which makes an angle of $\frac{\pi s}{N}$ with the reflection line of $y$.

In this paper we will describe algorithms for the hidden subgroup problem with $G = D_N$ and $H = \langle yx^s \rangle$. If we know that the hidden subgroup is a reflection, then the hidden subgroup problem amounts to finding its slope $s$.

Proposition 2.1. Finding an arbitrary hidden subgroup $H$ of $D_N$ reduces to finding the slope of a hidden reflection.

Proof. If $H$ is not a reflection, then either it is the trivial group or it has a non-trivial intersection with the cyclic subgroup $C_N = \langle x \rangle$. Finding the hidden subgroup $H' = H \cap C_N$ in $C_N$ is easy if we know the factors of $N$, and we can factor $N$ using Shor's algorithm. Then the quotient group $H/H'$ is either trivial or a reflection in the quotient group $G/H'$.

If $H$ is trivial, then this will be revealed by the fact that an algorithm to find the slope of a hidden reflection must fail. □

Figure 1: Some elements of $D_8$.



3. A BASIC ALGORITHM 

In this section we will describe an algorithm to find the slope $s$ of a hidden reflection in $D_N$ when the period $N = 2^n$ is a power of 2. The main part of the algorithm actually only finds the parity of $s$. Once this parity is known, the main part can be repeated with a subgroup of $D_N$ isomorphic to $D_{N/2}$. The group $D_N$ has two such subgroups:

$$F_0 = \langle x^2, y \rangle, \qquad F_1 = \langle x^2, yx \rangle.$$

The subgroup $F_{s \bmod 2}$ contains $H$ and the other one does not, so we can pass to one of these subgroups if and only if we know $s \bmod 2$.

For any finite set $S$, the notation $\mathbb{C}[S]$ denotes a Hilbert space with $S$ as an orthogonal basis. (This is the quantum analogue of a classical data type that takes values in $S$.) Define the constant pure state $|S\rangle$ in $\mathbb{C}[S]$, or more generally in $\mathbb{C}[T]$ for any $T \supseteq S$, as the superposition

$$|S\rangle = \frac{1}{\sqrt{|S|}} \sum_{s \in S} |s\rangle.$$



For the moment let us assume an arbitrary finite hidden subgroup problem $f : G \to S$ with hidden subgroup $H$. Assuming that there is a classical circuit to compute $f$, we can dilate it to a unitary embedding

$$U_f : \mathbb{C}[G] \to \mathbb{C}[G] \otimes \mathbb{C}[S] = \mathbb{C}[G \times S]$$

which evaluates $f$ in the standard basis:

$$U_f |g\rangle = |g, f(g)\rangle.$$

All finite hidden subgroup algorithms, including ours, begin by computing

$$U_f |G\rangle$$

and then discarding the output register $\mathbb{C}[S]$, leaving the input register for further computation. The result is the mixed state

$$\rho_{G/H} = \frac{1}{|G|} \sum |Ha\rangle\langle Ha|$$

on the input register $\mathbb{C}[G]$.

Many works on hidden subgroup algorithms describe these steps differently [7, 8, 9, 10, 18, 22]. Instead of defining $U_f$ as an embedding that creates $f(g)$, they define it as a unitary operator that adds $f(g)$ to an ancilla. They describe its output as measured rather than discarded, and they describe the mixed state $\rho_{G/H}$ as a randomly chosen coset state $|Ha\rangle$. We have presented an equivalent description in the formalism of mixed states and quantum operations [18, Ch. 8].

Now let $G = D_N$ with $N = 2^n$. The general element of $D_N$ is $g = y^t x^s$ with $s \in \mathbb{Z}/N$ and $t \in \mathbb{Z}/2$. Thus the input register $\mathbb{C}[D_N]$ consists of $n$ qubits to describe $s$ and 1 qubit to describe $t$. The second step of our algorithm is to apply a unitary operator to $\rho_{D_N/H}$ which is almost the character transform (Section 8.2). Explicitly, we apply the quantum Fourier transform (QFT) to $|s\rangle$,



Fn 



and then measure $k \in \mathbb{Z}/N$. The measured value is uniformly random, while the state on the remaining qubit is

$$|\psi_k\rangle \propto |0\rangle + e^{2\pi i ks/N} |1\rangle.$$

(The symbol "$\propto$" means "proportional to", so that we can omit normalization and global phase.) We will always create the same state $\rho_{D_N/H}$ and perform the same measurement, so we can suppose that we have a supply of $2^{O(\sqrt{n})}$ states $|\psi_k\rangle$, each with its own known but random value of $k$.

Note that $|\psi_k\rangle$ and $|\psi_{-k}\rangle$ carry equivalent information about $s$, because

$$|\psi_{-k}\rangle = X |\psi_k\rangle, \qquad (1)$$

where $X$ is the bit flip operator. They will be equivalent in our algorithms as well.

We would like to create the state

$$|\psi_{2^{n-1}}\rangle \propto |0\rangle + (-1)^s |1\rangle$$

because its measurement in the $|\pm\rangle$ basis reveals the parity of $s$. To this end we create a sieve which creates new $|\psi_k\rangle$'s from pairs of old ones. The sieve increases the number of trailing zeroes $\alpha(k)$ in the binary expansion of $k$. Given $|\psi_k\rangle$ and $|\psi_\ell\rangle$, their joint state is

$$|\psi_k\rangle \otimes |\psi_\ell\rangle \propto |0,0\rangle + e^{2\pi i ks/N} |1,0\rangle + e^{2\pi i \ell s/N} |0,1\rangle + e^{2\pi i (k+\ell)s/N} |1,1\rangle.$$

We now apply a CNOT gate

$$|a, b\rangle \mapsto |a, a+b\rangle$$

and measure the right qubit. The left qubit has the residual state

$$|\psi_{k\pm\ell}\rangle \propto |0\rangle + e^{2\pi i (k\pm\ell)s/N} |1\rangle$$

and the label $k \pm \ell$, which is inferred from the measurement of $a + b$. Thus we have a procedure to extract a new qubit $|\psi_{k\pm\ell}\rangle$ from the old qubits $|\psi_k\rangle$ and $|\psi_\ell\rangle$. The extraction makes an unbiased random choice between $k + \ell$ and $k - \ell$. We may well like the extracted qubit better than either of the old ones.

By iterating qubit extraction, we can eventually create the state that we like best, $|\psi_{2^{n-1}}\rangle$. We will construct a sieve that begins with $2^{\Theta(\sqrt{n})}$ qubits. Each stage of the sieve will repeatedly find two qubits $|\psi_k\rangle$ and $|\psi_\ell\rangle$ such that $k$ and $\ell$ agree in $\Theta(\sqrt{n})$ low bits in addition to their trailing zeroes. With probability $\frac12$, the label $k \pm \ell$ of the extracted qubit has more trailing zeroes than $k$ or $\ell$. If the sieve has depth $\Theta(\sqrt{n})$, we can expect it to produce copies of $|\psi_{2^{n-1}}\rangle$.

In conclusion, here is a complete description of the algorithm to find a hidden reflection in $D_N$ with $N = 2^n$. Also let $m = \lceil \sqrt{n-1} \rceil$.



Algorithm 1. Input: An oracle $f : D_N \to S$ with a hidden subgroup $H = \langle yx^s \rangle$ and $N = 2^n$.

1. Make a list $L_0$ of copies of the state $\rho_{D_N/H}$ by applying the dilation $D_f$ to the constant pure state $|D_N\rangle$ and discarding the input. Extract $|\psi_k\rangle$ from each $\rho_{D_N/H}$ with a QFT-based measurement.

2. For each $0 \le j < m$, we assume a list $L_j$ of qubit states $|\psi_k\rangle$ such that $k$ has at least $mj$ trailing zeroes. Divide $L_j$ into pairs of qubits $|\psi_k\rangle$ and $|\psi_\ell\rangle$ that share at least $m$ low bits (in addition to trailing zeroes), or $n - 1 - mj$ bits if $j = m - 1$. Extract the state $|\psi_{k\pm\ell}\rangle$ from each pair. Let the new list $L_{j+1}$ consist of those qubit states of the form $|\psi_{k-\ell}\rangle$.

3. The final list $L_m$ consists of states $|\psi_0\rangle$ and $|\psi_{2^{n-1}}\rangle$. Measure a state $|\psi_{2^{n-1}}\rangle$ in the $|\pm\rangle$ basis to determine the parity of the slope $s$.

4. Repeat steps 1-3 with the subgroup of $D_N$ which is isomorphic to $D_{N/2}$ and which contains $H$.
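
The qubit extraction and the four steps of Algorithm 1, as an added Python example (not the simulator the article mentions and not the author's code). It tracks each $|\psi_k\rangle$ classically as a pair of amplitudes for small $n$, so the slope `s` is known only to the simulated oracle `psi`; the function names, the list size `C * 8**m` with `C = 3`, and the retry loop are assumptions of this sketch.

```python
import cmath
import math
import random

def psi(k, s, N):
    """Label k together with the amplitudes of (|0> + e^{2 pi i k s/N}|1>)/sqrt(2)."""
    return k, (1 / math.sqrt(2), cmath.exp(2j * math.pi * k * s / N) / math.sqrt(2))

def extract(qk, ql, N, rng):
    """Qubit extraction: CNOT |a,b> -> |a,a+b>, then measure the right qubit.
    Returns (sign, (label, state)); the label is k+l for sign +1 and k-l for sign -1."""
    (k, u), (l, v) = qk, ql
    # The right qubit reads c = a XOR b.  Outcome c = 0 keeps the amplitudes
    # u[a]*v[a]; outcome c = 1 keeps u[a]*v[1-a].
    branches = {0: (u[0] * v[0], u[1] * v[1]), 1: (u[0] * v[1], u[1] * v[0])}
    p0 = abs(branches[0][0]) ** 2 + abs(branches[0][1]) ** 2
    c = 0 if rng.random() < p0 else 1
    a0, a1 = branches[c]
    # Divide out the norm and the global phase so that the |0> amplitude is real.
    scale = a0 / abs(a0) * math.hypot(abs(a0), abs(a1))
    label = (k + l) % N if c == 0 else (k - l) % N
    return (1 if c == 0 else -1), (label, (a0 / scale, a1 / scale))

def sieve(qubits, n, rng):
    """Step 2: cancel the low n-1 bits of the labels, m bits per stage."""
    N = 1 << n
    m = math.ceil(math.sqrt(n - 1))
    for j in range(m):
        hi = min(m * (j + 1), n - 1)    # labels leaving this stage are 0 mod 2^hi
        buckets = {}
        for q in qubits:
            buckets.setdefault(q[0] % (1 << hi), []).append(q)
        survivors = []
        for group in buckets.values():
            for qa, qb in zip(group[0::2], group[1::2]):
                sign, q = extract(qa, qb, N, rng)
                if sign < 0:            # keep only the |psi_{k-l}> outcomes
                    survivors.append(q)
        qubits = survivors
    return qubits

def parity_of_slope(s, n, rng, C=3):
    """Steps 1-3: s mod 2, read off a sieved copy of |psi_{N/2}>."""
    N = 1 << n
    m = math.ceil(math.sqrt(n - 1))
    while True:                         # retry if no |psi_{N/2}> survived
        L0 = [psi(rng.randrange(N), s, N) for _ in range(C * 8 ** m)]
        for label, (a0, a1) in sieve(L0, n, rng):
            if label == N // 2:
                p_plus = abs(a0 + a1) ** 2 / 2    # probability of outcome |+>
                return 0 if rng.random() < p_plus else 1

def find_slope(s, n, seed=1):
    """Step 4: recover s one bit at a time by passing to the subgroup
    isomorphic to D_{N/2} that contains H, where the slope is (s - b)/2."""
    rng = random.Random(seed)
    found, rest = 0, s
    for i in range(n):
        b = parity_of_slope(rest, n - i, rng)
        found |= b << i
        rest = (rest - b) // 2
    return found

if __name__ == "__main__":
    print(find_slope(677, 10))
```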



3.1. Proof of the complexity 

Theorem 3.1. Algorithm 1 requires queries and computation time.



Proof. In outline, if $|L_j| \gg 2^m$, then we can pair almost all of the elements of $L_j$ so that $k$ and $\ell$ share $m$ low bits for each pair $|\psi_k\rangle$ and $|\psi_\ell\rangle$. Then about half of the pairs will form $L_{j+1}$, so that

$$\frac{|L_{j+1}|}{|L_j|} \approx \frac{1}{4}.$$

We can set $|L_m| = \Theta(2^m)$. Working backwards, we can set $|L_0| = \Theta(8^m)$. The computation time consists of tasks with only logarithmic overhead.

In detail, we will assume that

$$|L_j| \ge C_{m-j} 2^{3m-2j}$$

for a certain constant $9 > C_k \ge 3$. We will bound the probability that this assumption survives as $j$ increases. The constants are defined by letting $C_0 = 3$, and letting



Ck-i 



t-lk 



1-2 



-k-k 



by induction on $k$. It is not hard to check that

$$C_k > C_{k-1}, \qquad \lim_{k \to \infty} C_k < 9.$$

(A calculator may help for the first few terms of the limit, the worst case being $m = 1$.)

Since we create Lq directly from oracle calls, we can set 



3m 



|Lo|=Co2 

Given $L_j$, let $P_j$ be a maximal set of pairs $|\psi_k\rangle$ and $|\psi_\ell\rangle$ with $m$ low matching bits. Then



1^/1 > 



> 



2>Cj(l-22.'-2'") 



because there are at most $2^m$ unmatched pairs. The list $L_{j+1}$ is then formed from $P_j$ by summand extraction, so $|L_{j+1}|$ can be understood as the sum of independent, unbiased Bernoulli random variables. In general if is a sum of unbiased Bernoulli random variables, then

< < {coshbfe-'^''' < e-^''/\ 

(The first inequality is the Chernoff bound on large devia- 
tions.) Setting 

b = 2'~^, 

we learn that 

23m-2,/(c^._22;-2m)(l„2-''-3^) 



\Lj+l\> 



with probability at least 



4 



= Cj+i2 
Finally by induction on $j$,

m _ ^ 

p[\Pj\ > c^-j2'"'-^j yj] > (1 )" 1 

as $m \to \infty$.

Thus the final list $L_m$ is very likely to be large. Since the highest bit of $k$ in $|\psi_k\rangle$ was never used for any decisions in the algorithm, it is unbiased Bernoulli for each entry of $L_m$. Therefore $L_m$ is very likely to contain copies of $|\psi_{2^{n-1}}\rangle$. □

4. SOME MOTIVATION

Algorithm 1 can be motivated by related ideas in representation theory and the theory of classical algorithms.

On the representation theory side, the input space $\mathbb{C}[D_N]$ has an orthogonal decomposition into 2-dimensional representations $V_k$ of $D_N$,

$$\mathbb{C}[D_N] = \bigoplus_{k \in \mathbb{Z}/N} V_k. \qquad (2)$$

This means that each element of $D_N$ is represented by a unitary operator on $\mathbb{C}[D_N]$ (given by left multiplication) and each $V_k$ is an invariant subspace, so that each element of $D_N$ is also represented by a unitary operator on each $V_k$ [2, §9.2]. Every orthogonal decomposition of a Hilbert space corresponds to a projective measurement [18, §2.2.5]; this particular measurement can be computed using a QFT.

In the representation $V_k$, the generators $x$ and $y$ are represented as follows:



Since the state $|Ha\rangle$ is invariant under the represented action of $H$, the residual state $|\psi_k\rangle$ is too. Thus abstract representation theory motivates the use of this state to find $H$. Note also that $V_k \cong V_{-k}$ as representations, as is reflected in the equivalence between $|\psi_k\rangle$ and $|\psi_{-k}\rangle$ in equation (1).

The representation $V_k$ is irreducible except when $k = 0$ or $k = N/2$. Thus equation (2) is not far from the Burnside decomposition of $\mathbb{C}[G]$ into irreducible representations in the special case $G = D_N$. When expressed as a unitary operator, the Burnside decomposition is called the character transform or the non-commutative Fourier transform. (Measuring the character name solves the hidden subgroup problem for normal subgroups [10] and almost normal subgroups [9].) Using the target of Algorithm 1 is motivated by its reducibility; the measurement corresponding to its irreducible decomposition is the one that reveals the slope of $s$.

On the algorithm side, the sieve in Algorithm 1 is similar to a sieve algorithm for a learning problem due to Blum, Kalai, and Wasserman [5] and to a sieve to find shortest vector in a lattice due to Ajtai, Kumar, and Sivakumar [1].

Ettinger and Høyer [7] observed that the state $|\psi_k\rangle$ for the hidden subgroup $H = \langle x^s y \rangle$ will be found in the state $|\psi'_k\rangle$ for a reference subgroup $H' = \langle x^t y \rangle$ with probability

$$\cos(\pi (s-t) k/N)^2.$$

Thus the state $|\psi'_k\rangle$ can provide a coin flip with this bias. We call such a coin flip a cosine observation of the slope $s$. Ettinger and Høyer showed that $s$ is revealed by a maximum likelihood test with respect to $O(\log N)$ cosine observations with random values of $k$. They suggested a brute-force search to solve this maximum likelihood problem. Our first version of Algorithm 1 was a slightly subexponential, classical sieve on cosine observations that even more closely resembles the Blum-Kalai-Wasserman algorithm. Replacing the cosine observations by the qubit states $|\psi_k\rangle$ themselves significantly accelerates the algorithm.


5. OTHER ALGORITHMS 

Algorithm 1 presents a simplified sieve which is close to the author's original thinking. But it is neither optimal nor fully general. In this section we present several variations which are faster or more general.

The first task is to prove Theorem 1.1 when $N$ is not a power of 2. Given any qubit state $|\psi_k\rangle$, we can assume that $0 \le k \le N/2$ since $|\psi_k\rangle$ and $|\psi_{-k}\rangle$ are equivalent. The list $L_j$ will consist of qubits $|\psi_k\rangle$ with

$$0 \le k < 2^{m^2 - mj + 1},$$

where

$$m = \lceil \sqrt{(\log_2 N) - 2} \rceil.$$

Another difference when $N$ is not a power of 2 is that the quantum Fourier transform on $\mathbb{Z}/N$ is more complicated. An efficient approximate algorithm was given by Kitaev [14]; another algorithm which is exact (in a sense) is due to Mosca
and ZalkaO- 

Algorithm 2. Input: An oracle $f : D_N \to S$ with a hidden subgroup $H = \langle yx^s \rangle$.

1. Make a list $L_0$ of copies of $\rho_{D_N/H}$. Extract a qubit state $|\psi_k\rangle$ from each $\rho_{D_N/H}$ using a QFT on $\mathbb{Z}/N$ and a measurement.

2. For each $0 \le j < m$, we assume a list $L_j$ of qubit states $|\psi_k\rangle$ such that $0 \le k < 2^{m^2 - mj + 1}$. Randomly divide $L_j$ into pairs of qubits $|\psi_k\rangle$ and $|\psi_\ell\rangle$ such that

Let the new list $L_{j+1}$ consist of those qubit states of the form $|\psi_{|k-\ell|}\rangle$.

3. The final list $L_m$ consists of states $|\psi_0\rangle$ and $|\psi_1\rangle$. Perform the Ettinger-Høyer measurement on the copies of $|\psi_1\rangle$ with different values of $t$ to learn $s \in \mathbb{Z}/N$ to within $N/4$.

4. Write $N = 2^a M$ with $M$ odd. By the Chinese remainder theorem,

$$C_N \cong C_{2^a} \times C_M.$$

For each $1 \le j \le \lceil \log_2 N \rceil$, apply Algorithm 1 to produce many $|\psi_k\rangle$ with $2^{\min(a,j)} \mid k$. Then repeat steps 1-4 after applying the group automorphism $x \mapsto$ to the $C_M$ factor of $D_N$. This produces copies of $|\psi_{2^j}\rangle$, hence cosine observations $\cos(\pi 2^j (s - t)/N)^2$. These observations determine $s$.
The proof of Theorem 3.1 carries over to show that Algorithm 2 also only requires queries, and quasilinear time in its data. The only new step is to check that in the final list $L_m$, the qubit states $|\psi_0\rangle$ and $|\psi_1\rangle$ are almost equally likely. This is a bit tricky, but inevitable given that the lowest bit of $k$ can be almost uncorrelated with the way that $|\psi_k\rangle$ is paired.

Remark. Peter Høyer describes a simplification of Algorithm 2 [11]. Given only one copy each of

$$|\psi_1\rangle, |\psi_2\rangle, \ldots, |\psi_{2^k}\rangle,$$

with $2^k > N$, the slope $s$ can be recovered directly by a quantum Fourier transform. More precisely, the measured Fourier number $t$ of these qubits reveals $s$ by the relation

t s 

This simplification saves a factor of $O(\log N)$ computation time.

Now suppose that $N = r^n$ for some small radix $r$; Algorithm 1 generalizes to this case with only slight changes. It is natural to accelerate it by recasting it as a greedy algorithm. To this end, we define an objective function $\alpha(k)$ that expresses how much we like a given state $|\psi_k\rangle$. Namely, let $\alpha(k)$ be the number of factors of $r$ in $k$, with the exception that $\alpha(0) = 0$. Within the list $L$ of qubit states available at any given time, we will greedily pick $|\psi_k\rangle$ and $|\psi_\ell\rangle$ to maximize $\alpha(k \pm \ell)$. It is also natural to restrict our greed to the qubits that minimize $\alpha$, because there is no advantage to postponing their use in the sieve.

Algorithm 3. Input: An oracle $f : D_N \to S$ with a hidden subgroup $H = \langle yx^s \rangle$ and $N = r^n$.

1. Make a list $L$ of qubit states $|\psi_k\rangle$ extracted from copies of $\rho_{D_N/H}$.

2. Within the sublist $L'$ of $L$ that minimizes $\alpha$, repeatedly extract $|\psi_{k\pm\ell}\rangle$ from a pair of qubits $|\psi_k\rangle$ and $|\psi_\ell\rangle$ that maximize $\alpha(k \pm \ell)$.

3. After enough qubits $|\psi_k\rangle$ appear with $\frac{N}{r} \mid k$, measure $s \bmod r$ using state tomography. Then repeat the algorithm with a subgroup of $D_N$ isomorphic to $D_{N/r}$.

The behavior of Algorithm 3 (but not its quantum state) can be simulated by a classical randomized algorithm. We include the source code of a simulator written in Python with this article [15] with $r = 2$. Our experiments with this simulator led to a false conjecture for the algorithm's precise query complexity. Nonetheless we present some of its results in Table 1. The last line of the table is roughly consistent with Theorem 5.1. Note that the sieve is a bit more efficient when $r = 2$ because then $k \pm \ell$ increases by 1 in the unfavorable case and at least 2 in the favorable case.



Queries                     3      3^2    3^3    3^4    3^5    3^6    3^7    3^8
Zeroed bits                 3.62   6.75   12.53  19.07  27.14  36.44  47.51  59.76
$\sqrt{2\log_3 2^n}$        2.14   2.92   3.98   4.91   5.85   6.78   7.74   8.68

Table 1: Average cancelled bits in a simulation (100 trials).



Theorem 5.1. Algorithm 3 requires $O(3^{\sqrt{2\log_3 N}})$ queries and quasilinear time in the number of queries.

Here is a heuristic justification of the query bound in Theorem 5.1. We assume, as the proof will, that $r = 3$ and $N = 3^n$. Then with $3^{\sqrt{2n}}$ queries, we can expect qubit extraction to initially cancel about $\sqrt{2n}$ ternary digits (trits) with probability $\frac12$. If we believe the query estimate for $n' < n$, then we can expect the new qubit to be about 3 times as valuable as the old one, since




Such a qubit extraction trades 2 qubits for 1 qubit which is 
half the time equivalent to the original 2 and half the time 3 
times as valuable. Thus each step of the sieve breaks even; it 
is like a gamble with $2 that is equally likely to return $1 or 
$3. 

Proof. (Sketch) We will show that the sieve produces states $|\psi_{cN/r}\rangle$ (which we will call final states) with adequate probability when provided with at least queries. The work per query is quasilinear in $|L|$ (initially the number of queries) if the list $L$ is dynamically sorted. To simplify the formulas, we assume that $r = 3$, although the proof works for all $r$.

We can think of a qubit state $|\psi_k\rangle$ as a monetary asset, valued by the function

Thus the total value $V(L)$ of the initial list $L$ is at least

$$V(L) \ge Cn.$$

We claim that over a period of the sieve that increases $\min \alpha$ by 1, the expected change in $V(L)$ is at worst $-C$. Since $\min \alpha$ can only increase $n - 1$ times, $V(L) \ge C$ when $\min \alpha = n - 1$. Thus the sieve produces at least $C$ final states on average. Along the way, the changes to $V(L)$ are independent (but not identically distributed) Bernoulli trials. One can show using a version of the Chernoff bound (as in the proof of Theorem 3.1) that the number of final states is not maldistributed. We will omit this refinement of the estimates and spell out the expected behavior of $V(L)$.

Given $k$, let

$$\beta = \beta(k) = n - 1 - \alpha(k)$$

for short, so that $\beta$ can be thought of as the number of uncancelled trits in the label $k$ of $|\psi_k\rangle$. Suppose that two labels $k$ and $\ell$ or $-\ell$ share $m$ trits in addition to $\alpha(k)$ cancelled trits. Then

$$V(k) = V(\ell) = 3^{-\sqrt{2\beta}}. \qquad (3)$$

The state $|\psi_{k\pm\ell}\rangle$ extracted from $|\psi_k\rangle$ and $|\psi_\ell\rangle$ has the expected value



E[V{k±i)] 



3-v^ + 3-\/2(F^ 



> 2V(k) 
using the elementary relation 



1 + 3'"W^P 



2m 



(4) 



215 + ^W 



> 



The most important feature of equation (4) is that if $m > \sqrt{2\beta}$, the expected change in $V(L)$ is positive. Thus in bounding the attrition of $V(L)$, we can assume that $m < \sqrt{2\beta}$ for the best-matching qubits $|\psi_k\rangle$ and $|\psi_\ell\rangle$ in the sublist $L'$ that minimizes $\alpha$. By the pigeonhole principle, this can only happen when

$$|L'| < 3^{\sqrt{2\beta}}.$$

(To apply the pigeonhole principle properly, use the equivalence between $|\psi_k\rangle$ and $|\psi_{-k}\rangle$ to assume that the first non-zero digit is 1. There are then $3^m$ choices for the next $m$ digits.)

When qubit extraction decreases $V(L)$, it decreases by at worst the value of one parent, given by the right side of (3). Likewise if $|L'| = 1$ and its unique element $|\psi_k\rangle$ must be discarded, the loss to $V(L)$ is again the right side of (3). Thus the total expected loss as $L'$ is exhausted is at most

$$3^{-\sqrt{2\beta}} \, 3^{\sqrt{2\beta}} \le 1.$$

We can therefore take $C = 1$, although a larger $C$ may be convenient to facilitate the Chernoff bound. □

Remark. A close examination of Algorithm 3 and Theorem 5.1 reveals that the sieve works with the same complexity bound if $N$ factors as

$$N = N_1 N_2 \cdots N_m$$

and Nk is within a bounded factor of 3*^. In this case the sieve 
will determine $s \bmod N_1$. This is enough values of $N$ to extend to an algorithm for all $N$ by the method of spliced approximation (Section 7).



6. GENERALIZED DIHEDRAL GROUPS AND HIDDEN 
SHIFTS 

In this section we consider several other problems that are 
equivalent or closely related to the hidden dihedral subgroup 
problem. 

In general if $A$ is an abelian group, let $\exp(A)$ denote the multiplicative form of the same group. Let $C_n \cong \exp(\mathbb{Z}/n)$ be the multiplicative cyclic group of order $n$. If $A$ is any abelian group, define the generalized dihedral group to be the semidirect product

$$D_A \cong C_2 \ltimes \exp(A)$$

with the conjugation relation

$$x^{-1} = yxy$$

for all $x \in \exp(A)$ and for the non-trivial $y \in C_2$. Any element of the form $yx$ is a reflection in $D_A$.

Suppose that $A$ is an abelian group and $f, g : A \to S$ are two injective functions that differ by a shift:

$$f(a) = g(a + s).$$

Then the task of finding $s$ from $f$ and $g$ is the abelian hidden shift problem. Another problem is the hidden reflection problem in $A$ (as opposed to in $D_A$). In this problem, $f : A \to S$ is a function which is injective except that

$$f(a) = f(s - a)$$

for some hidden $s$.



Proposition 6.1. If A is an abelian group, the hidden shift and 
hidden reflection problems in A are equivalent to the hidden 
reflection problem in Da. 

See Table 2 for an example.

a       1    x    x^2   x^3   x^4   x^5   x^6   x^7
f(a)    A    B    C     D     E     F     G     H

a       y    yx   yx^2  yx^3  yx^4  yx^5  yx^6  yx^7
f(a)    F    G    H     A     B     C     D     E

Table 2: An oracle that hides $\langle yx^3 \rangle$ in $D_8$ and its hidden shift.



Proof. If $a \in A$, let $x^a$ denote the corresponding element in $\exp(A)$. Given $f, g : A \to S$, define

$$h(x^a) = f(a), \qquad h(yx^a) = g(a).$$

Then evidently

$$h(x^a) = h(yx^{s+a})$$

if and only if

$$f(a) = g(a + s).$$

We can also reduce the pair $f$ and $g$ to a function with a hidden reflection. Namely let $S^{(2)}$ be the set of unordered pairs of elements of $S$ and define $h : A \to S^{(2)}$ by

$$h(a) = \{f(-a), g(a)\}.$$

Then $h$ is injective save for the relation

$$h(a) = h(s - a).$$

Contrariwise suppose that $h : A \to S$ is injective save for the relation

$$h(a) = h(s - a).$$

If there is a $v \in A$ such that $2v \ne 0$, define

by

$$f(a) = (h(-a), h(v - a)), \qquad g(a) = (h(a), h(a - v)).$$

(If $A$ is cyclic, we can just take $v = 1$.) Then $f$ and $g$ are injective and

$$f(a) = g(a + s).$$

If all $v \in A$ satisfy $2v = 0$, then $h$ hides a subgroup of $A$ generated by $s$, so we can find $s$ by Simon's algorithm. □
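
The three reductions in the proof of Proposition 6.1, checked by brute force on the oracle of Table 2, as an added Python example (not code from the article). Elements $y^t x^a$ of $D_8$ are stored as pairs `(t, a)`; all function names are assumptions of this sketch, and the exhaustive searches are there to verify the constructions, not to solve the problem.

```python
N, S = 8, 3                                   # D_8 and the slope hidden in Table 2
f = {a: "ABCDEFGH"[a] for a in range(N)}      # Table 2, values on the rotations x^a
g = {a: "FGHABCDE"[a] for a in range(N)}      # Table 2, values on the reflections y x^a

def mul(u, v, n):
    """Product in D_n of u = y^t1 x^a1 and v = y^t2 x^a2, using x y = y x^-1."""
    (t1, a1), (t2, a2) = u, v
    return ((t1 + t2) % 2, ((-a1 if t2 else a1) + a2) % n)

def dihedral_oracle(f, g):
    """h(x^a) = f(a), h(y x^a) = g(a): the oracle on D_A built from a shifted pair."""
    return lambda u: g[u[1]] if u[0] else f[u[1]]

def hides_reflection(h, s, n):
    """True iff h(u) == h(v) exactly when u and v share a right coset of <y x^s>."""
    elems = [(t, a) for t in (0, 1) for a in range(n)]
    return all((h(u) == h(v)) == (v in (u, mul((1, s % n), u, n)))
               for u in elems for v in elems)

def shifts(f, g, n):
    """All s with f(a) = g(a + s) for every a."""
    return [s for s in range(n) if all(f[a] == g[(a + s) % n] for a in range(n))]

def to_reflection(f, g, n):
    """h(a) = {f(-a), g(a)}, an unordered pair."""
    return {a: frozenset((f[-a % n], g[a])) for a in range(n)}

def reflections(h, n):
    """All s such that h(a) == h(b) exactly when b is a or s - a."""
    return [s for s in range(n)
            if all((h[a] == h[b]) == (b in (a, (s - a) % n))
                   for a in range(n) for b in range(n))]

def to_shift_pair(h, v, n):
    """f(a) = (h(-a), h(v - a)) and g(a) = (h(a), h(a - v)), for a v with 2v != 0."""
    assert (2 * v) % n != 0
    f2 = {a: (h[-a % n], h[(v - a) % n]) for a in range(n)}
    g2 = {a: (h[a], h[(a - v) % n]) for a in range(n)}
    return f2, g2

def round_trip():
    """Shift pair -> dihedral oracle, shift pair -> reflection -> shift pair again."""
    h_refl = to_reflection(f, g, N)
    f2, g2 = to_shift_pair(h_refl, 1, N)
    injective = len(set(f2.values())) == N == len(set(g2.values()))
    return (hides_reflection(dihedral_oracle(f, g), S, N), shifts(f, g, N),
            reflections(h_refl, N), injective, shifts(f2, g2, N))

if __name__ == "__main__":
    print(round_trip())
```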

Note also that Proposition 2.1 generalizes readily to generalized dihedral subgroups: finding a hidden reflection in $D_A$ is as difficult as finding any hidden subgroup.

A final variation of DHSP is the hidden substring problem. In the $N \hookrightarrow M$ hidden substring problem,

$$f : \{0, 1, 2, \ldots, N-1\} \to S$$
$$g : \{0, 1, 2, \ldots, M-1\} \to S$$

are two injective functions such that $f$ is a shifted restriction of $g$, i.e.,

$$f(x) = g(x + s)$$

for all $0 \le x < N$ and for some fixed $0 \le s < M - N$.



7. MORE ALGORITHMS 

In this section we will establish a generalization of Theorem 1.1 and a corollary:

Theorem 7.1. The abelian hidden shift problem has an algorithm with time and query complexity $2^{O(\sqrt{n})}$, where $n$ is the length of the output, uniformly for all finitely generated abelian groups.

Corollary 7.2. The $N \hookrightarrow 2N$ hidden substring problem has an algorithm with time and query complexity $2^{O(\sqrt{\log N})}$.

The proof of Corollary 7.2 serves as a warm-up to the proof of Theorem 7.1. It introduces a technique for converting hidden shift algorithms that we call spliced approximation.

Proof of Corollary 7.2. Identify the domain of $f$ with $\mathbb{Z}/N$. (No matter that this identification is artificial.) Make a random estimate $t$ for the value of $s$, and define $h : D_N \to S$ by

$$g'(n) = g(n + t).$$

If $t$ is a good estimate for $s$, then $f$ and $g'$ approximately hide the hidden shift $s - t$. If we convert $f$ and $g'$ to a function $h : D_N \to S$, then apply its dilation $U_h$ with input $|D_N\rangle$ and discard the output, the result is a state $\rho_h = \rho_{f,g'}$ which is close to the state $\rho_{D_N/H}$ used in Algorithm 2.

We need to quantify how close. The relevant metric on states for us is the trace distance [18, §9.2]. In general if $\rho$ and $\rho'$ are two states on a Hilbert space $\mathcal{H}$, the trace distance $\|\rho - \rho'\|$ is the maximum probability that any measurement, indeed any use in a quantum algorithm, will distinguish them. In our case,

$$\|\rho_h - \rho_{D_N/H}\| = \frac{|s - t|}{N}.$$

If

$$\frac{|s - t|}{N} = 2^{-O(\sqrt{\log N})}$$

then with bounded probability, Algorithm 2 will never see the difference between $\rho_h$ and $\rho_{D_N/H}$. Thus $2^{O(\sqrt{\log N})}$ guesses for $s$ suffice. □

A second warm-up to the general case of Theorem 7.1 is the special case $A = \mathbb{Z}$. Recall that more computation is allowed for longer output. Suppose that the output has $n$ bits, i.e., the shift $s$ is at most $2^n$. In the language of deterministic hiding, we restrict the domain of $f, g : \mathbb{Z} \to S$ to the set $\{0, 1, 2, \ldots, 2^m\}$, where $m = n + \Theta(\sqrt{n})$, and interpret this set as $\mathbb{Z}/2^m$. Then $f$ and $g$ approximately differ by the shift $s$. If we form the state $\rho_{f,g}$ as in the proof of Corollary 7.2, then its trace distance from the state $\rho_{D_N/H}$, with $N = 2^m$, is $2^{-\Theta(\sqrt{n})}$. Thus Algorithm 2 will never see the states differ.

Sketched proof of Theorem 7.1. In the general case, the classification of finitely generated abelian groups says that

A = Z^ e Z/A?i e Z/A^2 © • • • © Z/A^fl- 

Assuming a bound on the length of the output, we can truncate each $\mathbb{Z}$ summand of $A$, as in the case $A = \mathbb{Z}$. (We suppose that we know how many bits of output are allocated to each free summand of $A$.) Thus we can assume that

$$A = \mathbb{Z}/N_1 \oplus \mathbb{Z}/N_2 \oplus \cdots \oplus \mathbb{Z}/N_a,$$

and the problem is to find $s$ in time $2^{O(\sqrt{\log |A|})}$. In other words the problem is to solve HSP for a finite group $D_A$.

The general element of $D_A$ can be written $y^t x^a$ with $t \in \mathbb{Z}/2$ and $a \in A$. Following the usual first step, we can first prepare the state $\rho_{D_A/H}$. Then we can perform a quantum Fourier transform on each factor of $A$, then measure the answer, to obtain a label

$$k = (k_1, k_2, \ldots, k_a) \in A$$

and a qubit state



(As in Section 3 this state is $H$-invariant in a two-dimensional representation $V_k$ of $D_A$.) We will outline a sieve algorithm to compute any one coordinate of the slope, without loss of generality $s_a$.

As in Algorithm 3 we will guide the behavior of the sieve by an objective function $\alpha$ on $A$. Given $k$, let $b(k)$ be the first $j$ such that $k_j \ne 0$. If $b < a$, then let



«W - I [1 +l0g2(A^; + 1)1 - nog^ik, + 1)1 . 

If $b = a$, then let



«« = Eri+iog2(A^,+i)i- 



As in Algorithm 3 we produce a list $L$ of $2^{O(\sqrt{\log |A|})}$ qubits with states $|\psi_k\rangle$. Within the minimum of $\alpha$ on $L$, we repeatedly find pairs $|\psi_k\rangle$ and $|\psi_\ell\rangle$ that maximize $\alpha(k + \ell)$ or $\alpha(k - \ell)$, then we extract $|\psi_{k\pm\ell}\rangle$ from each such pair. The end result is a list of qubit states $|\psi_k\rangle$ with

$$k = (0, 0, \ldots, 0, k_a).$$

The set of $k$ of this form is closed under sums and differences, so we can switch to Algorithm 2 to eventually determine the slope $s_a$. □

Note that many abelian groups $A$ are not very different from cyclic groups, so that the generalized dihedral group can be approximated for our purposes by a standard dihedral group. For example, if $A = \mathbb{Z}^a$ is free abelian with many bits of output allocated to each coordinate, then we can pass to a truncation

$$\mathbb{Z}/N_1 \oplus \mathbb{Z}/N_2 \oplus \cdots \oplus \mathbb{Z}/N_a$$

with relatively prime $N_j$'s. In this case the truncation is cyclic.



8. HIDDEN SUBGROUP GENERALITIES 

In this section we will make some general observations about quantum algorithms for hidden subgroup problems. Our comments are related to work by Hallgren, Russell, and Ta-Shma [10] and by Grigni, Schulman, Vazirani, and Vazirani



8.1. Quantum oracles 

The first step of all quantum algorithms for the hidden subgroup
problem is to form the state $\rho_{G/H}$, or an approximation
when G is infinite, except when the oracle $f : G \to S$ has special
properties.

Suppose that a function $f : G \to S$ hides the subgroup
H. We can say that f deterministically hides H because it is
a deterministic function. Some problems in quantum computation
might reduce to a non-deterministic oracle $f : G \to \mathcal{H}$,
where $\mathcal{H}$ is a Hilbert space. We say that such an f orthogonally
hides H if f is constant on each right coset Ha of H
and orthogonal on distinct cosets. If a quantum algorithm invokes
the dilation $D_f$ of f and then discards the output, then
it solves the orthogonal hidden subgroup problem as well as
the deterministic one.

Computing $D_f$ and discarding its output can also be viewed
as a quantum oracle. A general quantum computation involving
both unitary and non-unitary actions can be expressed as
a quantum operation [18, Ch.8]. In this case the operation is
a map $\mathcal{E}_{G/H}$ on $\mathcal{M}(\mathbb{C}[G])$, where in general
$\mathcal{M}(\mathcal{H})$ denotes the algebra of operators on a Hilbert
space $\mathcal{H}$. It is defined by

$$\mathcal{E}_{G/H}(|a\rangle\langle b|) = \begin{cases} |a\rangle\langle b| & \text{if } Ha = Hb \\ 0 & \text{if } Ha \neq Hb \end{cases}$$



We say that the quantum oracle $\mathcal{E}_{G/H}$ projectively hides the
subgroup H. Unlike deterministic and orthogonal oracles, the 
projective oracle is uniquely determined by H. Again, all 
quantum algorithms for hidden subgroup problems work with 
this more difficult oracle. 

Finally if G is finite, the projective oracle $\mathcal{E}_{G/H}$ can be applied
to the constant pure state $|G\rangle$ to produce the state

$$\rho_{G/H} = \frac{|H|}{|G|} \sum_{Ha} |Ha\rangle\langle Ha|.$$

So an algorithm could use a no-input oracle that simply broadcasts
copies of $\rho_{G/H}$. Such an oracle coherently hides H. This
oracle has also been called the random coset oracle [20]
because the state $\rho_{G/H}$ is equivalent to the constant pure state
$|Ha\rangle$ on a uniformly randomly chosen coset. Almost all existing
quantum algorithms for finite hidden subgroup problems
only need copies of the state $\rho_{G/H}$. Algorithm and Algorithm 3
are exceptions: They use $\rho_{D_N/H}$ to find the parity of
the slope s, then rely on $\mathcal{E}_{D_N/H}$ with other inputs (constant
pure states on subgroups) for later stages. The possibly slower
algorithm Algorithm^ works with the coherent oracle; it uses 
only $\rho_{D_N/H}$.

The distinctions between deterministic, orthogonal, and 
projective hiding apply to any hidden partition problem. In 
one special case, called the hidden stabilizer problem [14], a
group G acts transitively on a set S and a function f : S is
invariant under a subgroup $H \subseteq G$. The hidden stabilizer problem
has enough symmetry to justify consideration of coherent
hiding. It would be interesting to determine when one kind 
of hiding is harder than another. For example, if / is injec- 
tive save for a single repeated value, then there is a sublinear 
algorithm for deterministic hiding f^. But projective hiding
requires at least linear time and we do not know an algorithm 
for coherent hiding which is faster than quadratic time. 

In a variant of coherent HSP, the oracle outputs non-uniform
mixtures of coset states $|Ha\rangle$. The mixtures may even
be chosen adversarially. This can make the subgroup H less
hidden, for example in the trivial extreme in which the state is
$|H\rangle$ with certainty. At the other extreme, we can always
uniformize the state by translating by a random group element.
Thus uniform coherent HSP is the hardest representative of
this class of problems.

8.2. The character measurement 

The second step of all quantum algorithms for the generic
hidden subgroup problem is to perform the character measurement.
(The measurement in our algorithms is only trivially
different.) The result is the name or character of an irreducible
unitary representation (or irrep) V and a state in V. Mathematically
the character measurement is expressed by the Burnside
decomposition of the group algebra C[G] as a direct sum of
matrix algebras [21]:

$$\mathbb{C}[G] \cong \bigoplus_V \mathcal{M}(V).$$

Here $\mathcal{M}(V)$ is the algebra of operators on the irrep V; the
direct sum runs over one representative of each isomorphism
type of unitary irreps. The group algebra C[G] has two commuting
actions of G, given by left and right multiplication,
and with respect to these two actions,

so that the Burnside decomposition can also be written 

$$\mathbb{C}[G] \cong \bigoplus_V V \otimes V^*. \qquad (5)$$

In light of the identification with matrices, the factor of V* 
is called the row space, while the factor of V is the column 
space. 

The Burnside decomposition is also an orthogonal decom- 
position of Hilbert spaces, and so corresponds to a projective 
measurement on C[G]. This is the character measurement. A 
character transform is an orthonormal change of basis that refines
equation (5). Its precise structure as a unitary operator
depends on choosing a basis for each V . 

The state $\rho_{G/H}$ has an interesting structure with respect
to the Burnside decomposition. In general if $\mathcal{H}$ is a
finite-dimensional Hilbert space, let $\rho_{\mathcal{H}}$ denote the uniform mixed
state on $\mathcal{H}$; while if V is a representation of a group G, let $V^G$
denote its invariant space. It is easy to check that

$$\rho_{G/H} = \rho_{\mathbb{C}[G]^H},$$

where G (and therefore H) acts on C[G] by left multiplication.
In the Burnside decomposition, the left multiplication action
on each $V \otimes V^*$ is trivial on the right factor $V^*$ and is just the
defining action of G on V. Since $\rho_{G/H}$ is the uniform state on
all H-invariant vectors in C[G], this property descends through
the Burnside decomposition:

$$\rho_{G/H} = \bigoplus_V \rho_{V^H} \otimes \rho_{V^*}.$$

This relation has two consequences. First, as has been noted
previously [9], the state on the row space $V^*$ has no useful
information. Second, since $\rho_{G/H}$ decomposes as a direct
sum with respect to the Burnside decomposition, the character
measurement sacrifices no coherence to the environment; it
only measures something that the environment already knows.
Our reasoning here establishes the following proposition:

Proposition 8.1. Let G be a finite group and assume an algorithm
or oracle to compute the character transform on C[G].
Then a process that provides the state $\rho_{G/H}$ is equivalent to a
process that provides the name of an irrep V and the state $\rho_{V^H}$
with probability

_ (dimV)(dimV^)|//| 



Proposition 8.1 sharpens the motivation to work with irreps
in the hidden subgroup problem. If you obtain the state $\rho_{G/H}$,
and if you can efficiently perform the character measurement
on states, then you might as well apply it to $\rho_{G/H}$.
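The character measurement of Proposition 8.1, worked for a dihedral group with a hidden reflection, as an added example that is not part of the original paper. It assumes $H = \{e, yx^s\}$ in $D_N$ (the generator names x, y and the irrep labels in the code are this example's own) and evaluates $P[V] = \mathrm{tr}(\Pi_V \rho_{G/H}) = \frac{\dim V}{|G|}\sum_{h \in H}\chi_V(h)$ from the characters.

```python
from fractions import Fraction

def irreps(N):
    """(name, dim, chi) for every irrep of D_N; chi(s) is the character at the
    reflection y x^s, the only non-identity element of H that is needed.
    The names are labels made up for this example."""
    reps = [("trivial", 1, lambda s: 1), ("sign", 1, lambda s: -1)]
    if N % 2 == 0:  # two more 1-dimensional irreps (x -> -1, y -> +1 or -1)
        reps += [("alt+", 1, lambda s: (-1) ** s),
                 ("alt-", 1, lambda s: -((-1) ** s))]
    # 2-dimensional irreps V_k, 1 <= k < N/2; every reflection has character 0
    reps += [(f"V_{k}", 2, lambda s: 0) for k in range(1, (N + 1) // 2)]
    return reps

def character_measurement(N, s):
    """For H = {e, y x^s}: name -> (dim V^H, P[V]), using
    dim V^H = (1/|H|) sum_{h in H} chi(h) and
    P[V]    = (dim V / |G|) sum_{h in H} chi(h), with |G| = 2N."""
    out = {}
    for name, dim, chi in irreps(N):
        total = dim + chi(s)               # chi(e) + chi(y x^s)
        out[name] = (Fraction(total, 2), Fraction(dim * total, 2 * N))
    return out

def parity_from_names(N, s):
    """The 'alt' irrep names that can be observed; they depend only on s mod 2."""
    dist = character_measurement(N, s)
    return [n for n in ("alt+", "alt-") if n in dist and dist[n][1] > 0]
```

Every two-dimensional irrep name occurs with the same probability 2/N whatever s is; only the one-dimensional irreps that exist for even N depend on s, and then only on its parity.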

Proposition 8.1 and the definition of coherent HSP in Section
suggest another class of oracles related to the hidden
subgroup problem. In general an oracle might provide the
name of a representation V and a state $\rho$ which is some mixture
of H-invariant pure states in V. It is tempting to describe
such a $\rho$ as H-invariant, but technically that is a weaker condition
that also applies to other states. For example, the uniform
state on V is H-invariant. So we say that $\rho$ is purely
H-invariant if it is supported on the H-invariant space $V^H$. For
example, the uniform state $\rho_{V^H}$ is purely H-invariant. More
generally the purely H-invariant states on C[G] are exactly the
mixtures of constant pure states of right cosets $|Ha\rangle$.

Proposition 8.2. Let G be a finite group. Then any purely
H-invariant state $\rho$ on C[G] can be converted to $\rho_{G/H}$.
In the presence of an algorithm or oracle to perform the character
transform on C[G], any purely H-invariant state $\rho$ on any
irrep V can be converted to $\rho_{G/H}$.

Proof. If we right-multiply $\rho$ by a uniformly random element
of G, it becomes $\rho_{G/H}$. If we perform the reverse character
transform to a purely H-invariant state $\rho$ on V, it becomes a
purely H-invariant state on C[G] itself. □

The message of Proposition 8.2 is that the uniform mixture
$\rho_{G/H}$ reveals the least information about H among all mixtures
of coset states $|Ha\rangle$. The distribution on irreps V described
in Proposition 8.1, together with the uniform state on
$V^H$, also reveals the least information about H among all such
distributions.

9. A GENERAL ALGORITHM

In this section we will discuss a general algorithm for coherent
HSP for an arbitrary finite group G and an arbitrary
subgroup H. It is an interesting abstract presentation of all
of the algorithms for dihedral groups in this paper. Unfortunately
it might not be directly useful for any groups other than
dihedral groups.

The algorithm uses the definitions and methods of Section 8.2
together with a generalized notion of summand extraction.
In general if V and W are two unitary representations
of G, their tensor product decomposes as an orthogonal direct
sum of irreps with respect to the diagonal action of G:

$$V \otimes W \cong \bigoplus_X \mathcal{H}^{V,W}_X \otimes X. \qquad (6)$$

Here again the direct sum runs over one representative of each
isomorphism class of irreps. The Hilbert space $\mathcal{H}^{V,W}_X$ is the
multiplicity factor of the decomposition; its dimension is the
number of times that X arises as a summand of $V \otimes W$. The
decomposition defines a partial measurement of the joint Hilbert
space $V \otimes W$, which extracts X (and $\mathcal{H}^{V,W}_X$). If V and W carry
purely H-invariant states, then the state on X is also purely
H-invariant.

Algorithm 4. Input: An oracle that produces $\rho_{G/H}$.

1. Make a list L of copies of $\rho_{G/H}$. Extract an irrep V with a
   purely H-invariant state from each copy.

2. Choose an objective function $\alpha$ on Irrep(G), the set of
   irreps of G.

3. Find a pair of irreps V and W in L such that $\alpha(V)$ and $\alpha(W)$
   are both low, but such that $\alpha$ is significantly higher for
   at least one summand of $V \otimes W$. Extract an irreducible
   summand X from $V \otimes W$ and replace V and W in L with
   X. Discard the multiplicity factor

4. Repeat step 3 until $\alpha$ is maximized on some irrep V.
   Perform tomography on V to reveal useful information
   about H.

5. Repeat steps 2-4 to fully identify H.
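Steps 3 and 4 of Algorithm 4 specialized to $D_N$ with $N = 2^n$ and simulated on irrep labels only, as an added example that is not code from the paper. It assumes two-dimensional irreps labelled by $k \in \mathbb{Z}/N$ with $V_k \otimes V_\ell \cong V_{k+\ell} \oplus V_{k-\ell}$, takes $\alpha(k)$ to be the number of trailing zero bits of k, and models the measured summand as a fair coin; the names `sieve` and `run`, the stage width `m` and the pairing by equal low bits are choices of this illustration.

```python
import random

def alpha(k, n):
    """Objective on labels of D_N, N = 2^n: trailing zero bits of k (n if k == 0)."""
    k %= 1 << n
    return n if k == 0 else (k & -k).bit_length() - 1

def sieve(labels, n, m, coin):
    """Steps 3-4 on labels only; each stage clears up to m more low bits.
    coin() -> True selects the summand k - l, False selects k + l."""
    N, L, cleared = 1 << n, [k % (1 << n) for k in labels], 0
    while cleared < n - 1:
        cleared += min(m, n - 1 - cleared)
        mask = (1 << cleared) - 1
        waiting, nxt = {}, []
        for k in L:
            if k & mask == 0:              # alpha(k) is already high enough
                nxt.append(k)
                continue
            l = waiting.pop(k & mask, None)
            if l is None:                  # no partner with the same low bits yet
                waiting[k & mask] = k
                continue
            # V_k (x) V_l = V_{k+l} (+) V_{k-l}: the measurement picks one summand
            out = (k - l) % N if coin() else (k + l) % N
            if out & mask == 0:            # keep only a favourable summand
                nxt.append(out)
        L = nxt                            # labels left unpaired are dropped
    return L

def run(n, copies, m, seed):
    """Uniformly random labels for `copies` coset states (constructed input);
    returns how many copies of the target label N/2 survive the sieve."""
    rng = random.Random(seed)
    labels = [rng.randrange(1 << n) for _ in range(copies)]
    out = sieve(labels, n, m, lambda: rng.random() < 0.5)
    assert all(alpha(k, n) >= n - 1 for k in out)   # survivors are 0 or N/2
    return sum(1 for k in out if k == 1 << (n - 1))
```

Survivors with label 0 lie in a representation that carries no information; the survivors with label N/2 are the ones on which $\alpha$ is maximized in step 4.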

For any given group G, Algorithml^requires subalgorithms 
to compute the character measurement (5) and the tensor decomposition
measurement (6). Efficient algorithms for character
measurements and character transforms are a topic of
active research [4, 16] and are unknown for many groups. We
observe that tensor decomposition measurement at least reduces
to the character measurement:

Proposition 9.1. Let V and W be irreducible representations 
of a finite group G. If group operations in G and summand 
extraction from C[G] are both efficient, then summand extraction
from $V \otimes W$ is also efficient.



Proof. Embed V and W into separate copies of C[G] in a
G-equivariant way. Then apply the unitary operator

$$U(|a\rangle \otimes |b\rangle) = |b^{-1}a\rangle \otimes |b\rangle$$

to $\mathbb{C}[G] \otimes \mathbb{C}[G]$. The operator U transports left multiplication
by the diagonal subgroup $G_\Delta \subseteq G \times G$ to left multiplication
by G on the right factor. Then summand extraction from the
right factor of $\mathbb{C}[G] \otimes \mathbb{C}[G]$ is equivalent to summand extraction
from $V \otimes W$, since, after U is applied, the group action
on the right factor of $\mathbb{C}[G] \otimes \mathbb{C}[G]$ coincides with the diagonal
action on $V \otimes W$. □

In light of Beals' algorithm to compute a character transform
on the symmetric group [4] and Proposition 9.1, Algorithm 13
may look promising when $G \cong S_n$ is the symmetric
group. But the algorithm seems to work poorly for this group,
because the typical irrep V of $S_n$ is very large. Consequently
the decomposition (6) typically involves many irreps of $S_n$.
This offers very little control for a sieve.

Note that if Algorithm |3 were useful for the symmetric 

group, its time complexity would be at best. This 

is the same complexity class as a known classical algorithm 
for the graph isomorphism or automorphism problem 01, 
which is the original motivation for the symmetric hidden subgroup
problem (SHSP). We believe that general SHSP is actually
much harder than graph isomorphism. If graph isomorphism
does admit a special quantum algorithm, it could be
analogous to a quantum polynomial time algorithm found by
Van Dam, Hallgren, and Ip [24] for certain special abelian hidden
shift problems. (In particular their algorithm applies to the
Legendre symbol with a hidden shift.) All of these problems
have special oracles f that allow faster algorithms.

One reason that SHSP looks hard is that symmetric groups 
have many different kinds of large subgroups. For example, if 
$p_1, p_2, \ldots, p_n$ is a set of distinct primes, then

$$D_{p_1 p_2 \cdots p_n} \hookrightarrow S_{p_1 + p_2 + \cdots + p_n}$$

(exercise). Thus DHSP reduces to SHSP. Hidden shift in the 
symmetric group also reduces to SHSP (exercise). 

The sieve of Algorithm 0] looks the most promising when 
the group G is large but $V \otimes W$ always has few terms. This
is similar to demanding that most or all irreps of G are
low-dimensional. So suppose that all irreps have dimension at
most k and consider the limit $|G| \to \infty$ for fixed k. Passman
and Isaacs [12] showed that there is a function f(k) such that
if all irreps have dimension at most k, then G has an abelian
subgroup exp(A) of index at most f(k). By the reasoning of
Proposition 2.1, the hardest hidden subgroup H for such a G
is one which is disjoint from exp(A) (except for the identity).
But by the reasoning of Section 6, any such hidden subgroup
problem reduces to the hidden shift problem on A. The generalized
sieve of Algorithm 4 is not as fast as the dihedral sieve
on $D_A$.